Indigenous authentication and searching system and method

ABSTRACT

An apparatus and system for authenticating and searching data is provided. The apparatus includes a tightly coupled housing, an authenticator in the tightly coupled housing, a first archival storage in the tightly coupled housing, an indexer in the tightly coupled housing, and an index storage in the tightly coupled housing. The authenticator receives a file from an external email system, the authenticator creates first and second self-authenticating copies of the file, the first archival storage stores the first self-authenticating file, the indexer dissembles the second self-authenticating copy into components of the second self-authenticating copy, and the index storage stores the components of the second self-authenticating in a searchable format.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation-in-part of, and claims the benefit of priority from application Ser. No. 10/876,318, filed on Jun. 24, 2004 entitled “Indigenous Authentication for Sensor-Recorders and Other Information Capture Devices”, which is a continuation of application Ser. No. 09/626,044, filed on Jul. 27, 2000 entitled “Indigenous Authentication for Sensor-Recorders and Other Information Capture Devices”, now U.S. Pat. No. 6,757,828.

FIELD OF THE INVENTION

The present invention generally relates to a system and apparatus for authenticating and searching data.

BACKGROUND OF THE INVENTION

One purpose of the present invention is to provide a solution to the problem of either deliberate or inadvertent alteration of recordings. In this context, “recordings” refers to all recordings, including digital images, data files, and the more common audio recording.

Photographs, movies and printed materials have historically been regarded as media that can be trusted to be authentic copies of the original. Early attempts at alteration of photographs for the purposes of revisionist history were almost comically detectable with five people sitting at a table, but six pairs of legs underneath. Hand written, permanently bound, notebooks are used in research laboratories for their resistance against attempts at alteration. Recent technological advances have brought the ability to alter images to the neophyte level. When a master employs the advanced technology the alterations are almost completely undetectable. For this reason digital photography is seldom used in situations when “chain of custody” requirements exist to protect the authenticity of a recording be it photographic, written or auditory. For example, the picture of an accident scene could be altered to show bottles of alcoholic beverages around the driver, even if those bottles hadn't really been there when the picture was taken, but were a post accident embellishment.

A digital camera with apparatus for authentication of images produced from an image file is disclosed in U.S. Pat. No. 5,499,294. Referring to FIG. 3A of U.S. Pat. No. 5,499,294, a block diagram of a system including a digital camera is shown that produces a file image with a digital signature. A device specific decryption key is required to allow a file image to be authenticated. Furthermore, in order to determine whether a file image is authentic, the person performing the authentication must know which camera took the picture; due to the fact that each camera includes a unique private encryption key.

Another purpose of the present invention is to provide a system and apparatus for authenticating and searching data. Traditionally, the self-authentication of a data file and the indexing of a data file were technologically incompatible because self-authentication requires that the file is uncompromised, and indexing requires that the file is disassembled. The disassembly of a file is an unacceptable alteration of the file for verification of the file's integrity.

However, there is a continuing and ongoing need for a system and apparatus that creates self-authenticating copies of files received from an external system so that the integrity of the files can be verified upon their introduction into the system or apparatus. Simultaneously, there is a continuing and ongoing need to be able to search stored files.

SUMMARY OF THE INVENTION

It is desirable to provide an improved method and system for determining the authenticity of a sample of an environment. A digital signature is created that is a function of both the sample of the environment itself, as well as at least one parameter that is representative of at least one condition under which the digital sample was acquired. The sample is stored in memory together with the at least one parameter and the digital signature. Authenticity of the stored image is determined by creating a new signature from the stored image and at least one parameter, and then comparing the two signatures to determine if they are the same.

Such a method and apparatus is advantageous for several reasons. First, one aspect of the present invention is that it is not necessary to know what device sampled the environment because it only is necessary to have the stored sample, parameters, and signature. Second, encryption is not required for authentication purposes, thereby allowing information storage devices to be manufactured in a more cost effective manner.

It is also desirable to provide a system and apparatus for authenticating and searching data. The apparatus includes a tightly coupled housing, an authenticator in the tightly coupled housing, a first archival storage in the tightly coupled housing, an indexer in the tightly coupled housing, and an index storage in the tightly coupled housing. The authenticator receives a file from an external email system and creates first and second self-authenticating copies of the file. The first archival storage stores the first self-authenticating file, the indexer disassembles the second self-authenticating copy into components, and the index storage stores the components of the second self-authenticating in a searchable format.

Such a system and apparatus is advantageous because it stores self-authenticating files while simultaneously storing indexed components of the files that can be readily searched.

Other features and advantages of the present invention will become apparent from the following description.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic diagram of one embodiment of the present invention showing a digital camera, a personal computer, and an external GPS unit;

FIG. 2 is a schematic diagram of a self-contained digital camera that incorporates certain aspects of the present invention;

FIG. 2A is a detailed schematic diagram of a self-contained digital camera that incorporates certain aspects of the present invention;

FIG. 3 is a flow chart of an operational sequence according to a first embodiment of the present invention;

FIG. 4 is a flow chart of the Pre Capture Operations from FIG. 3;

FIG. 4A is a flow chart of the Check Additional Inputs for Pre Capture Operations in FIG. 4;

FIG. 4B is a flow chart for recording the user controls during the Pre Capture Operation;

FIG. 5 is a flow chart of the Capture Operations from FIG. 3;

FIG. 6A is a flow chart of the Post Capture Operations from FIG. 3;

FIG. 6B is the continuation of the flow chart from FIG. 6A;

FIG. 7 is a flow chart of the Recording operation from FIG. 3;

FIG. 7A is a diagram of a file format for a signed digital image.

FIG. 8 is a flow chart of the Clean up and Preparation from FIG. 3;

FIG. 9 is a flow chart of the Authentication Sequence;

FIG. 9A is a flow chart of the RCA Operations from FIG. 9;

FIG. 9B-1 is a flow chart of the ELA/DER Operations from FIG. 9;

FIG. 9B-2 is a continuation of the flow chart from FIG. 9B-1;

FIG. 10 is a schematic diagram of a generic email system known in the art; and

FIG. 11 is a schematic diagram of an email system and authentication system of one embodiment of the present invention.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

One aspect of the present invention is the concept and method of indigenous authentication. That is, a family of devices to create recordings with material to validate its authenticity. One embodiment of the present invention relates to digital photography where an image is authenticated as a whole. An intermediate version allows the authentication of less than the whole. An advanced version allows for recovery of damaged (altered from its original state) elements. Additional inputs including, but not limited to, date, time, latitude, longitude, altitude, roll, pitch, yaw, and compass heading can be made part of the image as well as the status of camera elements including camera identification, image sequence number, flash status, lens zoom factor, counter vibration status, focus status and focus quality. This additional information becomes part of the recording and can also be authenticated.

The present invention is applicable to information capture scenarios other than digital cameras such as self-authenticating identification documents, an extension of the notary public system, or electronic laboratory notebooks to replace the handwritten ones mentioned above. Once established as a trustworthy source; the indigenous authentication concept can be extended further for recording quality control, legal requirements and financial instruments.

A key to verifiable authenticity is to insure that the authentication information generation is tightly coupled to the sensor set and recorder. There can be nothing that can possibly alter the recording before the authentication information is generated. Authentication using this method requires neither comparison files, nor conventional or reverse encryption. The strength of authentication is increased by using one-time random elements and by the use of a random string, regenerated under user control. Although not required for basic operation, the resulting recording can be optionally encrypted to conceal the information. The absence of required conventional encryption or reverse encryption eliminates the need for a public registrar or record keeping relating to the management of decryption keys. As the authentication is indigenous there is no requirement to identify which recorder was used.

Referring to FIG. 2, an environment 2 can be sampled 1 in a variety of formats. In recording a single sample of a visual environment, a single frame optical recorder, generally known as a camera, is used. The sample taken, known as a “photograph,” has been recorded on positive transparency films (slides); negative transparency films (negatives); opaque or translucent prints; and more recently as digital files.

In recording a continuous sample of a visual environment, a continuous optical recorder such as a video camera, movie film camera or a digital movie camera is used. These samples, generically called “movies,” have been recorded on transparency film, videotape and more recently as digital files.

In recording a sample of an auditory environment, a continuous audio recorder such as a tape recorder or a digital recorder is used. These samples, generally called “recordings,” have been recorded on a wide variety of wire, tape and digital files.

With the development of sensors and recorders, the recording of samples of taste, touch and smell can be accommodated in the same generic model. Also, samples are not limited to the five human senses. The method for authentication and verification disclosed in the present application can be used on samples taken from any sensor set including, but not limited to, the full range of physical, chemical, and spectral phenomena.

To ensure authentication, additional inputs 7 other than the sensor set 4 are not accessible to the user without detection as shown in FIG. 2. To accomplish this the additional inputs are shown inside the device physical boundary. Analog recorders may also be incorporated into this system through the use of analog to digital converters.

One use of the present invention is to create an image or data file that is considered “trustworthy” in any situation where proof of authenticity is necessary. This includes, but is not limited to, legal evidence, insurance claims, project management, scientific research, invention, quality control, identification, intelligence gathering, purchasing, command and control, law enforcement, document and image transmission.

The increasingly rapid transition to digital capture, analysis, storage, transmission, distribution and use of information, using increasingly sophisticated hardware and software for creation and capture tools, makes it increasingly difficult to accept any image or data file as authentic on its face.

With the continued growth of personal computers in society and the increasing use of the internet, electronic miscreance including deliberate fraud and inadvertent changes caused by transmission or storage errors are on the rise. The need for authentication parallels that rise to counter proliferation of altered files. The need for authentication also increases with the potential damage an altered file might cause. For example, contracts, purchase orders, legal decisions, electronic bill payments, electronic invoices, quality control information, blue prints, designs: all of these could cause great harm if an altered version were believed to be authentic. It is not unreasonable to presume that indigenous authentication might become the norm, in an attempt to prevent or derail any possible malicious acts by miscreants.

One aspect of the present invention allows generally complete mitigation of the threat of undetected image alteration and subsequent use of the altered image for purposes of deliberate or unknowing deception. Thus, a framework is provided for future devices to accomplish similar ends and provide a solution to an ever more troubling social and economic problem, namely the eroding credibility of photographic images, especially in law enforcement where the images may become evidence in a legal proceeding.

Referring to FIG. 1, a schematic diagram of one embodiment of the present invention showing a digital camera, a personal computer, and an external GPS unit is shown. A general purpose microcomputer 252 is used to simulate the processor 157 and its programming. The mouse 256 and keyboard 257 are used to simulate the user's setting of controls (See FIGS. 2A, 9 10 11 12 13). The microcomputer's monitor 253 is analogous to the process monitor 8 shown in FIG. 2A. An external geographic positioning system 254 (GPS) is used instead of an internal 44 one. An externally connected digital camera 255 simulates the lens sensor set 73, auto focus 19, and flash generator 30. The microcomputer's 252 floppy drive (not shown) performs the function of the recorder 142 and the 3.5″ floppy disk 259 is the removable storage media 141.

Referring to FIG. 2A, a device model for a single frame optical recorder, more commonly known as a camera, is shown. FIG. 2A does not show the externally supplied source or internal batteries that must power this device. In this camera, the user may access the process monitor 8. For approximate aiming, access may be gained through a shaft, parallel to the axis of the lens. Access to the process monitor 8 may also be gained through a processor 157 controlled recreation of the current scene. Indicators appear on the process monitor indicating flash status, zoom status, etc.

Operators may aim the device, activate the device, and set user controls, including but not limited to, flash 9, zoom 10, random string recording (RSR) 11, or optional encryption 12. During the operation of the camera, internal security 14 is monitored to detect the integrity of the tight coupling of the sensor set and the recorder 6.

Referring to FIG. 3, when the processor 157 receives an activation signal, the multi phase operating cycle proceeds through the pre capture, capture, post capture, recording, clean up and preparation operations before returning to the pre capture phase. To reduce the time within each phase, parallel processing and other engineering techniques are used.

Referring to FIG. 4, the pre capture sequence is the most common operating phase of the unit. The device cycles in the pre capture operation 65 until activated by user control 13, or turned off 15 in preparation for normal termination 95. If the device is turned on and inadequate 16 power is present to complete the operating cycle, the user activation will have no effect. An indication 17 is given to the user through the process monitor and no further processing is completed 66.

If sufficient power is present to complete the operating cycle, the additional inputs and components are checked. Referring to FIG. 4A, the auto focus 19 sensor and processor are then checked 20. If a malfunction 21 is present the process monitor 8 will be updated with an error message 22 to inform the user.

Independent of the auto focus's status, processing continues checking the focus quality sensor 23, the flash generator 30, counter vibration unit (C-VIBE) 35 and the roll, pitch, yaw (RPY) unit 40. These tests are performed in order (20, 25, 29, 34, and 39) independent of resulting status. At each stage, if a malfunction is present, the process monitor is updated with an error message to inform the user (27, 32, 37 and 250).

The status processing continues 42 with a check 43 of the global position system (GPS) unit 44. If there is a malfunction 45, the value “NO GPS” is recorded 46. If no malfunctions 47 are present, the current GPS coordinates and other GPS information are recorded 48 and the process monitor 8 is updated 49 with an error message or the current coordinates.

Independent of the GPS status, processing continues 50 with a check 51 of the internal compass 52. If a malfunction 53 is present, the value “NO COMPASS” is recorded 54. Otherwise 55 the current compass heading is recorded 56 and the process monitor 8 is updated 57 with an error message or the current heading.

Independent of the compass status, processing continues 58 with a check 59 of the internal security system 14. If there is a breach of security 60 the violation is recorded 61. Otherwise 62 the value “ImageGuard” is recorded 63 and the process monitor 8 is updated 64 with the violation or “ImageGuard”

Referring to FIG. 4, after the additional inputs and components are checked 18, the user control modifications are recorded 67. Referring to FIG. 4B, the current setting for the flash generator 30 is checked 68 against the flash settings 9 provided by the user. If not identical 69, the setting for the flash generator 30 is set 70 to that provided by the user.

The user's zoom setting 10 is then checked 72 against the zoom setting of the lens 73. If not identical 74, the setting for zoom 73 is set 75 to that provided by the user. The current random string record (RSR) value is then checked 77 against the setting 11 provided by the user. If not identical 78, the RSR value is set 79 to that provided by the user. The two possible values are “Y” for “Yes, record a new random string with the next image” and “N” for “No, don't record a new random string with the next image.”

The current encryption value is then checked 81 against the encryption value 12 provided by the user. If not identical 82, the current encryption value is set 83 to that provided by the user. The three possible values are “Y” for “Yes, produce an encrypted image only”, “N” for “No, don't produce an encrypted image, produce an unencrypted image only” and “B” for “Produce both an encrypted image and an unencrypted image.” During this process the process monitor 8 is updated 85 to reflect any changes made.

Referring to FIG. 4, once the user control modifications are recorded 67, processing continues 86 with a test 87 for adequate recording media. If there is inadequate recording media 88 the process monitor 8 is updated 89 with an error message and no further processing is completed 90 past this point.

After the test dealing with adequate recording media is completed 91, all pre capture operations are complete. A test 92 is made for the status of the activation control 13. If the control is not active 93, processing is cycled 65 and if active, processing continues 94 with capture operations

Referring to FIG. 5, once the user activation control 13 is active, processing moves from pre capture operations (see FIG. 4) to capture operations. (see FIG. 5) Current values are acquired 96 from the GPS and Compass system. If the GPS is not active 45, the “NO GPS” value 46 is recorded. If the GPS is active 47, the GPS coordinates 48 are recorded as is the current date and time. If the Compass is active 55, the current heading is recorded and if not active 51, the “NO COMPASS” value 54 is acquired.

At this point, if required 97, the counter vibration unit (C-VIBE) is activated 98 to counter vibration. The roll, pitch and yaw (RPY) sensors are activated 99, and the need to prime 105 the flash unit is determined. A test is made for the user commanding the flash on or off 100. If the flash is commanded on 101 or auto flash detects 103 the requirement 104 for a flash, the flash is primed 105 and the image is captured with flash 108. Otherwise the image is captured without a flash 107.

Focus quality points are detected 109 by accessing the focus quality additional input 23. The number of focus quality points is selected, and the maximum range and minimum range are recorded. Here the camera uses either sound ranging, or another technology to measure depth of field. This procedure is required for auto focus and would detect the reproduction of a picture. This procedure also reports the number of points with differing ranges as well as the closest and farthest focus quality points from the camera. For example, “10p 1 m Inf” would mean 10 points of differing depth, the nearest being one meter, the farthest is infinity.

Referring to FIG. 6A, once the image has been captured (see FIG. 5) processing moves to post capture operations. First the CCD (or other sensor) is polled 110 to gather the image and prepare it for recording. The GPS values for latitude, longitude, altitude, date, time, and satellites used for the positioning; that were previously acquired 96, are then appended 111 to the image. If the GPS was not functional 45 the “NO GPS” value 46 is appended 111 to the image. The AutoFocus status; number of focus quality points 109; maximum range and minimum range; flash value (commanded on, commanded off, auto-flash required, or auto-flash not required); counter vibration value (active 98 or not); roll, pitch and yaw (RPY) values; recorded compass heading 96; lens 73 zoom setting; camera identifier (CamID 124 set by the factory and unalterable by the user); current image sequence number 125; current random string 126; and file type (127 set by the factory and unalterable by the user) are all appended to the image. If internal security is compromised 60 a security violation 61 is appended 123 to the image. Otherwise the “ImageGuard” value is appended 123 to the image.

Referring to FIG. 6B, there are three levels of authentication and damaged element recovery. The initial level is total image authentication (TIA). At this level only the entire image is authenticated or not. The second level is row/column authentication (RCA) where each row and column of the picture elements (pixels) can be authenticated independently. Under RCA, less than the whole image can be authenticated. The third level is elemental level authentication (ELA) and damaged element recovery (DER).

Under the ELA structure, each and every single pixel can be authenticated independently. If a single pixel fails authentication (damaged) there are structures added to the image in the post capture operation which provide multiple methods of determining the original value of the damaged pixel. This is called damaged element recovery (DER). Initially the level of authentication and damaged element recovery is to be set at the factory so that no affiliated user control (9, 10, 11, 12, and 13) is shown. There can be only one level of authentication (TIA, RCA, ELA/DER) active per use. (See FIG. 9 “Authentication Sequence” and more on authentication.)

If RCA is elected 128, the RCA structures and values are computed and appended 129 to the image. If ELA/DER is elected 130, the ELA/DER structures and values are computed and appended 131 to the image. The signature protocol used in this device is the commercially available MD5, but the signature protocol is not limited to the MD5. The digital signature 132, which is a function of the signature protocol (SP) being used and the block, is computed and made part of the file. (SIGNA=f (SP (Block))) The Block 144 is the digital data composed of the image and optionally: additional information, the camera id, the random string, the camera decryption key, and the RCA and ELA/DER structures and values.

If the user has elected 133 no encryption, or both encrypted and unencrypted, as set by the user control 12 and evidenced by the encryption value 83, then an unencrypted version of the complete image file is created 134. If the user has elected 135 encryption, or both encrypted and unencrypted, as set by the user control 12 and evidenced by the encryption value 83, then an encrypted version of the complete image file is created 136.

Referring to FIG. 7, if the user has elected 137 no encryption, or both encrypted and unencrypted, as set by the user control 12 and evidenced by the encryption value 83, then an unencrypted version of the complete image file is written 138 by the recorder 142 on the recording media 141. If the user has elected 139 encryption, or both encrypted and unencrypted, as set by the user control 12 and evidenced by the encryption value 83, then an encrypted version of the complete image file is written 140 by the recorder 142 on the recording media 141.

Referring to FIG. 2A, a 3.5″ floppy drive 142 and removable 3.5″ floppy diskette 141 are shown as the recorder and recording media. Other available recording options include flash RAM with removable memory modules, and storage not internal to the device via infra red, serial, Ethernet, Token Ring, parallel, universal serial bus (USB), firewire or other communication mode to either a single computer or a network of computers.

Referring to FIG. 7A, the files created by the Signa2 process are in a format generally accepted by the industry. Most specifically, the Signa2 files are not proprietary. Additional information is contained within the file, but the addition of the information is in compliance with the standards for the format.

There are two braces in the figure. The first titled “Image” indicates the two elements that are viewable by programs compliant with generally accepted industry formats. Elements outside this brace are not viewable by programs compliant with generally accepted industry formats. The second 144 titled “Block” indicates the elements covered by the signature 145. Everything inside the “Block” is what is signed.

Elements with hash marks 161 are optional and not required to fulfill the basic purpose of Signa2 devices. A tightly coupled image 146 and signature 145 are the minimum required elements for the Signa2 process.

The sensor set 73 acquires the image 146, which is the minimum viewable information. Additional data from the camera 147, viewable by the user, include: Global Positioning System (GPS) information 111; zoom settings; AutoFocus status; the results of the focus quality sampling; roll, pitch and yaw (RPY) values; the compass heading; flash status; File Type; CamID; Seq 120; and Security Value.

The GPS information 111 may include 48 latitude, longitude, altitude, date, time, satellites used in the determination or “NO GPS” 46 if there is a fault 45 with the system. The zoom setting 75 information includes the setting used by the lens 73 for capturing the image expressed either in millimeters with 50 mm being “eye-normal”, or in X where 1× is 50 mm. The compass heading 117 includes information on which way the camera was pointing at the time the image was captured.

The flash status 114 information includes the commands, Commanded ON, Commanded OFF, Auto ON or Auto OFF. In the flash status, the first two refer to settings forced by the user and the latter two refer to the user allowing the camera to decide to flash or not and whether it did or not. There may be other options.

The CamId 119, or camera identification code, is set at the factory and part of each image. Examples are SHEP0001 or MOLL0454. Although not required for authentication it does provide a means of determining, at least initial ownership of the device.

Seq 120, is the sequence number for unique image identification, automatically incremented. When used with CamId above BECK5102-98312 uniquely identifies the camera and the picture.

The two Security Values 123 are ImageGuard and NONVERIFIED. ImageGuard appears if no internal errors are detected and the security is not compromised. NONVERIFIED (or other indication of compromise) appears if security is compromised within the system.

Other segments within the File Structure include Camera ID 148; Random String 149; Camera Decryption Key 150; RCA and ELA/DER structures and values 160; and the digital signature 145. The Camera ID 148 is the unique camera identification, the same as above, but in a section of the file not viewable by the user. The Random String 149 is the current random string and is made part of the file. The Camera Decryption Key 150 is a camera specific decryption key that stays in the camera.

Referring to FIG. 8, this figure illustrates the process for clean up and preparation. In this portion of the process, functions not useful in pre capture operations (see FIG. 4) are deactivated and preparations are made for subsequent image capture. The counter vibration, and the roll, pitch, yaw are deactivated 151, 152 and the image sequence number is incremented 153.

If the “Random String Recording” has been set 79 to YES by the user control 11, the image itself and other information (Referring to FIG. 7A) are used to generate 155 a new random string that replaces the previous random string. The “Random String Recording” 79 is then reset 158 to NO and the user control 11 is set 159 to NO. Temporary resources used by the processor 157 are then deallocated 156 to prepare them for re-use.

It is important to note that the previous random string is used for the image just created. Therefore, frequent resetting of the random string will deter pattern recognition and increase security. This is discussed in the “Role of the random string in increasing the strength of the digital signature” below.

Referring to FIG. 9, authentication starts with a file believed to contain an image and the additional items (see FIG. 7A) to make the file authenticatable as a Signa2 image. The authentication program must be easily and freely available from a secure public source. Otherwise someone seeking to deceive could provide a faux-authentication program to generate a forced-negative or forced-positive authentication.

The program starts 162 with a self diagnostic to insure that the authentication program itself has not been damaged or corrupted. This self diagnostic is repeated each time processing reaches this 162 point to guard against alterations made after the program has been loaded. Should the self diagnostic fail the program immediately ends with an error message. This self diagnostic procedure and the possibility of a failure are not shown on FIG. 9.

Once the authentication program has been loaded the user is presented with an opportunity to select a file or elect program exit. If the user elects program exit the authentication program ends 163. If an encrypted file is selected 164, an attempt 165 is made to decrypt the file. This may require a decryption key obtained from the user or taken from the file 150. If a decryption error 166 occurs, an error message 167 is displayed and the program cycles back to start 162

If the file was not 168 encrypted or was decrypted without error 169, a test 170 is made to confirm that the file is in the Signa2 format. If the file is not 171 in Signa2 format, the file is not authenticatable 172 and the program cycles back to start 162

If the file is 173 in Signa2 format, the block 144 is separated 174 from the signature 145 and the signature is recalculated 175 from the original block 144. If the recalculated signature (SIG_(R)) matches 176 the provided signature (SIG_(P)), the image may be viewed 248 and is marked authenticated 249 as a valid image using total image authentication (TIA). The program then cycles back to start 162.

If the two signatures do not match, and the authenticator program has been acquired from a trusted source and is free from alteration; then the image file has been damaged or altered. This is a true-negative, an image properly determined not to be authentic. With an uncompromised authenticator program, a Signa2 image file using TIA level authentication cannot generate false-negatives. The image and the signature are in a single file and altering the file, either intentionally or accidentally, constitutes invalidation and a proper negative authentication.

If the recalculated signature (SIG_(R)) does not 177 match the provided signature (SIG_(P)), a series of tests are made for one of three authentication levels. If only total image authentication (TIA) is available 178 then no further operations are available 179. The image is viewed 180 and marked unauthenticated 181. The program then cycles back to start 162.

Referring to FIG. 9, if row/column authentication (RCA) is 182 elected, processing continues with RCA Operations and the program cycles back to start 162. If row/column authentication (RCA) has not 183 been elected, a 184 test for elemental level authentication/damaged element recovery (ELA/DER) is made.

Referring to FIG. 9B-1, if ELA/DER has 186 been elected, processing continues with ELA/DER Operations and the program cycles back to start 162. If ELA/DER has not been elected 185, there is an error condition as one of the three levels of authentication (TIA, RCA, ELA/DER) should be available. This error condition is handled by reporting no further operations are available 179. The image is viewed 180, marked unauthenticated 181 and the program cycles back to start 162.

Referring to FIG. 9, row/column authentication (RCA) is elected 182 when a file in a Signa2 format 173 has a signature failure 177. The signature used in comparison 145 is a single signature for the entire file. RCA structures and values 160 provide for a method of detecting errors, not at the whole file level, but at a level for each row and column. Checking each row and column provides two opportunities to detect an error for each pixel.

Cyclic Redundancy Check (CRC) is the method used to describe this form of error detection. There are several varieties of CRC as well as other algorithms for error detection of this type. Although CRC is used here for description purposes, other error detection codes (or error correction codes such as Hamming and Reed-Solomon) may be implemented to augment or replace the CRC error detection code.

Referring to FIG. 9A, a digital image consists of picture elements, known as pixels, arranged in a matrix of rows and columns. RCA Operations commence by stepping 187 through each row of the image testing 188 the CRC for internal integrity. Although CRCs do not contain an inherent internal integrity test, part of the RCA structures include additional values to test the CRC. If the CRC fails 189 this self test, all pixels in that row are marked as damaged, but potentially false negatives (PFN) 208.

If the CRC itself is ok 191, the entire row of pixels is used to compute 192 a new CRC for the row. This new CRC is compared to the original CRC. If they do not 193 match, all of the pixels in the row are marked as damaged 190. If the new CRC does 194 match the original CRC, all of the pixels in the row are marked 195 ok.

RCA operations continue by stepping 196 through each column of the image and testing 197 the CRC of each column for internal integrity. If the CRC fails 198 this test, no further operations are conducted on the column of pixels. If the CRC itself is ok 200, the entire column of pixels is used to compute 201 a new CRC for the column. If the new CRC does not 202 match the original CRC, no further operations are conducted on this column. If the new CRC does 203 match the original CRC, all of the pixels in the column are marked 204 ok.

A pixel may be marked in one of six ways: Ok—ok from row CRC 195 and column CRC 204; Damaged—ok from row CRC 190 and column CRC 204; Damaged_(PFN)—ok from row CRC failure 189 208 and column CRC 204; Ok—null from row CRC 195; Damaged—null from row CRC 190; and Damaged_(PFN)—null from row CRC failure 208. There is no second status because of column CRC failure 202.

The nature of the two operations (row and column) generate a matrix where some rows of pixels may be marked as damaged in the row operations and some of those pixels changed from damaged to ok by the column operations. This is because an entire row is marked damaged or ok. If a column is marked ok, the pixels that may have been marked damaged as part of a whole row were not in fact damaged and are changed to being ok. As an example, a single damaged pixel would cause a whole row to be marked as damaged in row operations. Column operations would mark every column ok except the column that had the damaged pixel. The end result is an image with a single pixel marked damaged.

Once the image has been authenticated the user selects 199 from a list of presented display options 205. The display options are: Option A—Display only the original image without any modification; Option B—Display the original image with damaged pixels forced to white; Option C—Display the original image with damaged pixels forced to black; Option D—Rock A and B; Option E—Rock A and C; Option F—Statistical Report; and Option G—End display options. “Rocking” refers to rapidly displaying two alternating images.

The statistical report under Option F contains the following elements: F1 contains the total number of pixels in the image. F2 contains the total number of pixels marked ok—ok, Damaged—ok, Damaged_(PFN)—ok and ok—null, expressed as a number, and as a relative percent of the total number of pixels (F2/F1)*100 known as the “Undamaged Percentage.”

Ok—ok pixels passed both row 194 and column 203 CRC test. Ok—null pixels passed the row 194 CRC test, but the column CRC was damaged 198 and provided no additional information. Damaged—ok pixels were not actually damaged. The pixels were marked damaged because the new row CRC did not match 193 the original row CRC, and the whole row was marked 190 damaged even though the pixels passed 203 the column CRC test. Damaged_(PFN)—ok also contains pixels that were not actually damaged. The pixels were marked damaged due to the row CRC failure 189 that caused the entire row to be marked Damaged_(PFN) even though the pixels passed 203 the column CRC test.

F3 contains the total number of pixels marked Damaged—null expressed as a number, and as a relative percent of the total number of pixels in the image (F3/F1)*100 known as the “True Negative Percentage.” The pixels were marked Damaged—null because the new row CRC did not match the original row CRC test 193. There is no second status because of column CRC failure 202.

F4 contains the total number of pixels marked Damaged_(PFN)—null expressed as a number, and as a relative percent of the total number of pixels in the image (F4/F1)*100 known as the “Potential False Negative Percentage.” The pixels were marked Damaged_(PFN)—null because the row CRC failed 189 208 the self test and the pixel could not be authenticated as ok due to column CRC failure 202. The sum of the relative percents of F2, F3, and F4 should equal 100%, and the sum of F2, F3, and F4 should equal F1.

The user may continue to select 206 alternate display options until they elect to end display options 207. At that point RCA operations are concluded.

Referring to FIG. 9B-1, ELA/DER Operations occur when a file in Signa2 format 173 has a signature failure 177, and both element level authentication (ELA) and damaged element recovery (DER) authentication are elected 186. The signature used in comparison 145 is a single signature for the entire file. ELA/DER structures and values 160 provide for a method of determining authentication, not at the whole file level, but at a level for each element.

The ELA/DER structure includes a complete duplicate of the image, compressed and encoded. It is this duplicate image that allows for elemental level authentication and damaged element recovery. In the description below the original version of the image, the one the user can see, is referred to as the “Primary Image”, abbreviated PI. The compressed and encoded version of the image is referred to as the “Backup Image”, abbreviated BI. Both the Primary Image and the Backup Image have row and column CRCs, or other error detection protocols.

Referring to FIG. 9B-1, initially each row 209 of the primary image (PI) is stepped through and a self test 210 is performed on each primary image row CRC. If the CRC fails 211 the self test, all of the pixels in the primary image row are marked 212 Damaged_(PFN) as potential false negative damaged pixels. If the primary image row CRC passes 213 the self test, a new primary row CRC is computed 214 from the pixels in the primary image row. If the new primary image row CRC matches 215 the original primary row CRC, all the pixels in the row are marked 216 as ok (undamaged). If the new primary image row CRC does not 217 match the original primary row CRC, all the pixels in the row are marked 218 as damaged.

Referring to FIG. 9B-2, once the row-wise process is complete, each column 219 of the primary image is stepped through with a self test 220 performed on the primary image column CRC. If the CRC fails the self test 221, no further operations are conducted on this column. If the primary image column CRC passes 222 the self test, a new primary column CRC is computed 223 from the pixels in the primary image column. If the new primary image column CRC matches 225 the original primary image column CRC, all of the pixels in that column are marked 226 ok. If the new primary image column CRC does not 224 match the original primary image column CRC, no further operations are conducted on this column.

Each pixel may be marked in one of six ways: Ok—ok from row CRC 216 and column CRC 226; Damaged—ok from row CRC 218 and column CRC 226; Damaged_(PFN)—ok from row CRC failure 212 and column CRC 226; Ok—null from row CRC 216; Damaged—null from row CRC 218; and Damaged_(PFN)—null from row CRC failure 212. There is no second status because of column CRC failure 221

Authentication then starts on each damaged or damaged_(PFN) pixel with attempts to recover the original value of that element. Additional processing efforts are not made to distinguish between true negatives and false negatives due to the fact that the same damaged element recovery (DER) procedures are used on each.

To recover the value of a damaged primary image pixel the corresponding backup image pixel must first be located and validated. Validation of the corresponding backup image pixel can occur under either of the two scenarios. In the first scenario, the backup image ROW CRC for the corresponding backup image pixel is undamaged and the computed backup image ROW CRC matches the original backup image ROW CRC. In the second scenario, the backup image COLUMN CRC for the corresponding backup image pixel is undamaged and the computed backup image COLUMN CRC matches the original backup image COLUMN CRC.

Stepping 227 through each damaged or damaged_(PFN) pixel in the primary image is done to locate 228 the corresponding pixel in the backup image. The backup image will require decompression first. If the corresponding backup image pixel cannot 229 be located, it cannot be authenticated and it is not possible to recover the value of the primary image pixel 230. Once the corresponding backup image pixel is 231 located, a self test 232 is performed on the backup image ROW CRC.

If the backup image ROW CRC self test fails 233, the backup image ROW CRC is damaged and is unusable for authentication. The backup image COLUMN CRC for the corresponding backup image pixel is then used for authentication and a self test 235 of the backup image COLUMN CRC is performed.

If the backup image COLUMN CRC for the corresponding backup image pixel fails 236 the self test, the corresponding backup image pixel cannot be authenticated and it is not possible to recover the value of the primary image pixel 230. If the backup image COLUMN CRC for the corresponding backup image pixel passes 239 the self test then a new backup image COLUMN CRC is computed 240.

If the new backup image COLUMN CRC matches 241 the original backup image COLUMN CRC 238, the corresponding backup image pixel is authentic and can be used to recover the value of the damaged or damaged_(PFN) primary image pixel. If the new backup image COLUMN CRC does not match 243 the original backup image COLUMN CRC, the corresponding backup image pixel cannot be authenticated and it is not possible to recover the value of the primary image pixel 230.

If the backup image ROW CRC self test succeeds 234, a new backup image ROW CRC is computed 251. If the new backup image ROW CRC matches 237 the original backup image ROW CRC then 238 the corresponding backup image pixel is authentic and can be used to recover the value of the damaged or damaged_(PFN) primary image pixel. If the new backup image ROW CRC does not 242 match the original backup image ROW CRC, one or more of the backup image pixels in that row is damaged and the backup image column must be tested for authentication.

A self test 235 of the backup image COLUMN CRC is performed. If the backup image COLUMN CRC for the corresponding backup image pixel fails 236 the self test, the corresponding backup image pixel cannot be authenticated and it is not possible to recover the value of the primary image pixel 230. If the backup image COLUMN CRC for the corresponding backup image pixel passes 239 the self test then a new backup image COLUMN CRC is computed 240.

If the new backup image COLUMN CRC matches 241 the original backup image COLUMN CRC 238, the corresponding backup image pixel is authentic and can be used to recover the value of the damaged or damaged_(PFN) primary image pixel. If the new backup image COLUMN CRC does not match 243 the original backup image COLUMN CRC then the corresponding backup image pixel cannot be authenticated and it is not possible to recover the value of the primary image pixel 230.

Each pixel may then be marked in one of eight ways: Ok—ok, from row CRC 216 and column CRC 226; Damaged—ok, from row CRC 218 and column CRC 226; Damaged_(PFN)—ok, from row CRC failure 212 and column CRC 226; Ok—null, from row CRC 216; Damaged—null—recovered, from row CRC 218 (The original value of the pixel was recovered 238); Damaged—null—not recovered, from row CRC 218 (the original value of the pixel was not 230 recovered); Damaged_(PFN)—null—recovered, from row CRC failure 212 (the original value of the pixel was recovered 238); and Damaged_(PFN)—null—not recovered, from row CRC failure 212 (the original value of the pixel was not 230 recovered). Damaged—null and Damaged_(PFN)—null are replaced with the results of the recovery efforts

Once the authentication and recovery operations are completed the user is presented 244 with a list of eleven presented display options 245. Option A display only the original image without any modification Option B display the original image with damaged and damaged_(PFN) pixels forced to white. Option C display the original image with damaged and damaged_(PFN) pixels forced to black. Option D display the original image with damaged and damaged_(PFN) pixels replaced with recovered pixels. Unrecovered damaged and damaged_(PFN) pixels are forced to white. Option E display the original image with damaged and damaged_(PFN) pixels replaced with recovered pixels. Unrecovered damaged and damaged_(PFN) pixels are forced to black.

Rapidly displaying two alternating images is known as “rocking.” Option F rocks between A and B. Option G rocks between A and C. Option H rocks between A and D. Option I rocks between A and E.

Option J displays the Statistical Report containing the various elements. This option displays the total number of pixels in the image J1. It also displays the total number of pixels marked ok—ok, Damaged—ok, Damaged_(PFN)—ok and ok—null, expressed as a number, and as a relative percent of the total number of pixels (J2/J1)*100 known as the “Undamaged Percentage” J2. Ok—ok pixels are those that passed both row 216 and column 226 CRC test. Ok—null pixels are those that passed the row 216 CRC test, but the column CRC was damaged 221 and provided no additional information. Damaged—ok pixels are those that were not actually damaged. The pixels were marked damaged because the new row CRC did not match 217 the original row CRC and the whole row was marked 218 damaged. These pixels passed 225 the column CRC test. Damaged_(PFN)—ok pixels were those that were not actually damaged. The pixels were marked damaged_(PFN) because of row CRC failure 211 caused the entire row to be marked 212 Damaged_(PFN). The pixels passed 225 the column CRC test.

Option J also displays the total number of damaged—null—recovered pixels as a number, and as a relative percent of the total number of pixels (J3/J1)*100 known as the “Damaged and Recovered Percentage” J3. The total number of damaged—null—not recovered pixels are also displayed as a number and as a relative percent of the total number of pixels (J4/J1)*100 known as the “Damaged and Not Recovered Percentage” J4.

Option J displays the total number of damaged_(PFN)—null—recovered pixels as a number and as a relative percent of the total number of pixels (J5/J1)*100 known as the “Damaged_(PFN) and Recovered Percentage” J5. It also displays the total number of damaged_(PFN)—null—not recovered pixels as a number and as a relative percent of the total number of pixels (J6/J1)*100 known as the “Damaged_(PFN) and Not Recovered Percentage” J6. The sum of J2, J3, J4, J5 and J6 should equal J1, and the sum of the relative percents of J2, J3, J4, J5 and J6 should equal 100%.

The final option that may be selected is Option K to end display options. The user may continue to select 246 alternate display options until they elect to end display options 247. At that point ELA/DER operations are concluded.

The following is information on True Negatives, False Negatives and False Positives using row/column authentication (RCA) given that an authenticator program has been acquired from a trusted source and is free from alteration.

If a pixel is damaged (altered from its original state) and this damage is detected by the RCA operations then the pixel is a true-negative, part of an image properly determined not to be authentic. Using RCA it is possible to generate a false negative, that is where a pixel is in fact authentic, but is being marked as damaged.

There are eight possible cases of pixel authenticity/damage, row CRC authenticity/damage, and column CRC authenticity/damage.

Case A B C D E F G H Pixel Damaged N Y N N Y Y N Y Row CRC Damaged N N Y N Y N Y Y Col CRC Damaged N N N Y N Y Y Y Y = damaged N = not damaged or ok The number of possibilities can be expressed as $\frac{\left( {{The}\mspace{14mu} {number}\mspace{14mu} {of}\mspace{14mu} {elements}} \right)!}{\left( {{Number}\mspace{14mu} {of}\mspace{14mu} {identical}\mspace{14mu} {elements}} \right)!}$

There are three elements in all cases. Case A is the case in which none of the three items are damaged. There is the single case with zero Y and three N. (3!/3!=1) Cases B through D are the cases in which a single item of the three are damaged. There are three cases with one Y and two N. (3!/2!=3.) Cases E through G are the cases in which two of the three items are damaged. There are three cases with two Y and one N. (3!/2!=3.) Case H is the case in which three of the three items are damaged. There is one case with three Y and zero N. (3!/3!=1.)

Only in case G where both the row CRC and column CRC are damaged, and the pixel is not damaged, would a false negative be generated. Failure 189 of the row CRC self test would cause all the pixels in the row to be marked damaged_(PFN) 190. The column CRC would also fail 198 the column CRC self test and the pixel would remain marked as damaged_(PFN). In case H, both the row CRC and column CRC are damaged and would appear to mimic case G, except that this is not a false negative because the pixel is also damaged.

Using the same table it can be shown that a false positive (a damaged pixel being improperly authenticated as undamaged) is not a possible condition. Cases B, E, F, and H have damaged pixels. In case B, the row CRC is undamaged and the newly computed 192 row CRC would not 193 match the original row CRC. Thus all pixels in the row would be marked 190 as damaged. In case B the column CRC is also undamaged. The computed new column CRC 201 would not 202 match the original CRC and the pixels in the column marked as damaged would remain marked as damaged. Only if the new column CRC matches the original column CRC 203 would all the pixels in the column, including the damaged one, be marked 204 as ok.

In case E, the row CRC is damaged and it would fail 189 the row CRC self test 188 causing all pixels in the row to be marked 208 as damaged_(PFN). The column CRC is undamaged and would pass 200 the column CRC self test. The new column CRC would not 202 match the original CRC and the pixels in the column marked as damaged_(PFN) would remain marked as damaged due to the fact that when a row CRC is damaged, the row of pixels is marked as “damaged potential false negative” or damaged_(PFN). Only if the new column CRC matches the original column CRC 203 would all the pixels in the column, including the damaged one, be marked 204 as ok.

In case F, the row CRC is undamaged and would pass 191 the row CRC self test 188. The newly computed row CRC 192 would not match 193 the original row CRC causing all of the pixels in the row to be marked 190 damaged. In case F, the column CRC is damaged and it would not 198 pass the CRC self test and the pixels in the column marked as damaged would remain marked as damaged.

In case H, the row CRC is damaged and would fail 189 the row CRC self test 188 causing all pixels in the row to be marked 208 as damaged_(PFN). In case H, the column CRC is damaged and would not 198 pass the CRC self test. The pixels in the column marked as damaged_(PFN) would remain marked as damaged_(PFN) due to the fact that when a row CRC is damaged, the row of pixels is marked as “damaged potential false negative” or damaged_(PFN).

Under RCA, false positives, a damaged pixel being improperly authenticated as undamaged, cannot occur if the authenticator program has been acquired from a trusted source and is free from alteration

The following is information on True Negatives, False Negatives and False Positives using element level authentication (ELA) with damaged element recovery (DER). If a pixel is damaged (altered from its original state) and the damage is detected by the ELA operations then the pixel is a true-negative, part of an image properly determined not to be authentic. Using ELA it is possible to generate a false-negative, that is where a pixel is in fact authentic, but is being marked as damaged.

There are sixty-four (64) possible cases of primary image pixel authenticity/damage, backup image pixel authenticity/damage, primary row CRC authenticity/damage, backup row CRC authenticity/damage, primary column authenticity/damage, and backup column CRC authenticity/damage.

In table form these cases are

-   -   Y=damaged N=not damaged or ok     -   Group 1 Primary Image pixel is authentic and Backup Image pixel         is authentic

Case A1 B1 C1 D1 E1 F1 G1 H1 I1 J1 K1 L1 M1 N1 O1 P1 Primary Image N N N N N N N N N N N N N N N N Pixel Backup Image N N N N N N N N N N N N N N N N Pixel Primary-Row N Y N N N Y Y Y N N N Y Y Y N Y CRC Backup-Row N N Y N N Y N N Y Y N Y Y N Y Y CRC Primary- N N N Y N N Y N Y N Y Y N Y Y Y Column CRC Backup-Column N N N N Y N N Y N Y Y N Y Y Y Y CRC

Group 2 Primary Image pixel is damaged and Backup Image pixel is authentic

Case A2 B2 C2 D2 E2 F2 G2 H2 I2 J2 K2 L2 M2 N2 O2 P2 Primary Image Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Pixel Backup Image N N N N N N N N N N N N N N N N Pixel Primary-Row N Y N N N Y Y Y N N N Y Y Y N Y CRC Backup-Row N N Y N N Y N N Y Y N Y Y N Y Y CRC Primary- N N N Y N N Y N Y N Y Y N Y Y Y Column CRC Backup- N N N N Y N N Y N Y Y N Y Y Y Y Column CRC

Group 3 Primary Image pixel is authentic and Backup Image pixel is damaged

Case A3 B3 C3 D3 E3 F3 G3 H3 I3 J3 K3 L3 M3 N3 O3 P3 Primary Image N N N N N N N N N N N N N N N N Pixel Backup Image Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Pixel Primary-Row N Y N N N Y Y Y N N N Y Y Y N Y CRC Backup-Row N N Y N N Y N N Y Y N Y Y N Y Y CRC Primary- N N N Y N N Y N Y N Y Y N Y Y Y Column CRC Backup- N N N N Y N N Y N Y Y N Y Y Y Y Column CRC

Group 4 Primary Image pixel is damaged and Backup Image pixel is damaged

Case A4 B4 C4 D4 E4 F4 G4 H4 I4 J4 K4 L4 M4 N4 O4 P4 Primary Image Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Pixel Backup Image Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Pixel Primary-Row N Y N N N Y Y Y N N N Y Y Y N Y CRC Backup-Row N N Y N N Y N N Y Y N Y Y N Y Y CRC Primary- N N N Y N N Y N Y N Y Y N Y Y Y Column CRC Backup- N N N N Y N N Y N Y Y N Y Y Y Y Column CRC

In order to be a false negative: (1) the primary image pixel must be, in fact, undamaged (N); (2) initial operations must improperly indicate that the primary image pixel is damaged; and (3) all subsequent operations must fail to correct that improper indication.

The factor that in a false negative the primary image pixel must be, in fact, undamaged (N) limits the results to Group 1 and Group 3. The primary row CRC must be damaged (Y) to initially mark a row of PI pixels as damaged_(PFN). If the ROW CRC is undamaged and the row of pixels is undamaged, then pixel will be marked ok. This is not a negative, false or otherwise and limits the results to cases B, F, G, H, L, M, N and P in Group 1 and Group 3.

The primary column CRC must be damaged (Y) to preclude the correction of a pixel marked damaged by a damaged row CRC. In cases B, F, H, and M, the primary column CRC is undamaged (N) which would correct the improper identification of the pixel as damaged_(PFN) limiting the results to cases G, L, N and P in Group 1 and Group 3.

The backup row CRC must be damaged (Y) to preclude correction. In cases G and N, the backup row CRC is undamaged (N) and would correct the improper identification of the pixel as damaged limiting the results to case L and P in Group 1 and Group 3.

The backup column CRC must be damaged (Y) to preclude correction. In case L, the backup column CRC is not damaged (N) and would correct the improper identification of the pixel as damaged_(PFN). In case P1, the backup image pixel is also authentic, but because of the damage to all of the error detection structures (primary row CRC, primary column CRC, backup row CRC and backup column CRC) it cannot be validated as authentic. Only in cases P1 and P3 could an authentic pixel be marked damaged without the possibility of correction.

Using the same tables it can be shown that a false positive (a damaged pixel being improperly authenticated as undamaged) is not a possible condition. Group 2 and Group 4 both contain damaged primary image pixels. If the primary row CRC is damaged, all pixels in the row are marked damaged. If the primary row CRC is undamaged, the new row CRC will not match the provided row CRC and all pixels in the row will be marked damaged. For the purposes of isolating a case of false positive, it does not matter if the primary row CRC is damaged (Y) or not (N). The pixel will be marked as damaged or damaged_(PFN). Again, the primary image ROW CRC alone guarantees that a damaged pixel will be marked damaged or damaged_(PFN).

To be a false positive all detective and corrective mechanisms must fail in a mode to change the primary row CRC determination that the pixel is damaged or damaged_(PFN). If the primary column CRC is damaged 221 it will not change the determination that a pixel is damaged. If the primary column CRC is undamaged 222 the new PI COLUMN CRC will not match the original PI COLUMN CRC. Thus, it will not change the determination that a damaged pixel is damaged. For the purposes of isolating a case of false positive it does not matter if the primary column CRC is damaged (Y) or not (N). The damaged pixel will remain marked as damaged.

Backup row and column CRCs are used for damaged element recovery, not element level authentication. Thus, for the purposes of isolating a case of false positive it does not matter if the backup row CRC is damaged (Y) or not (N), and it does not matter if the backup column CRC is damaged (Y) or not (N). The damaged pixel will remain marked as damaged.

This eliminates all cases in Group 2 and Group 4 as possible sources of a false positive condition. As no other cases remain for consideration, false positives are not possible if the authentication program is free from unauthorized alteration.

Using the same tables we can determine if a damaged pixel can or cannot be recovered from the damaged element recovery structures. To be considered for recovery a primary image pixel must be either, in fact damaged or a false-negative (a pixel marked damaged that is, in fact, undamaged). This limits consideration to damaged pixels in Groups 2 and 4, and cases P1 and P3 for the two possible false-negative situations.

The backup image pixel must be, in fact, undamaged. All Group 4 cases where the BI pixel is damaged are not recoverable due to the fact that all false positives are not possible. The backup image control structures must authenticate it the BI pixel as undamaged. The backup row CRC can be damaged which would lead to the backup image pixel being improperly considered damaged. If the backup column CRC were undamaged, it would correct the improper designation of the backup image pixel as damaged.

An undamaged backup row CRC would indicate that the backup image pixel is undamaged. A damaged backup column CRC would not change the determination of the backup row CRC that the backup image pixel is undamaged. Thus, as long as either the backup image row CRC or backup image column CRC are undamaged, an undamaged backup image pixel can be authenticated and used to recover the damaged primary image pixel. Only in cases J2, M2, O2 and P2 are both the backup image CRC structures damaged and unable to authenticate the undamaged backup image as undamaged.

In the false positive cases of P1 and P3, both of the backup CRC structures are damaged and unable to authenticate the undamaged backup image as undamaged. Therefore, in all 16 cases of Group 4, cases J2, M2, O2 and P2, a damaged primary image pixel cannot be recovered. If P1 or P3 generates a false negative, the improperly identified damaged primary image pixel cannot be recovered.

The following is information on the role of the random string in increasing the strength of the digital signature. A series of examples and explanations shows how the use of one time and random elements increase the resistance of a digital signature to successful fraudulent impersonation.

Starting with a blank image and a constant signature algorithm, any true image could be altered to blank and the signature from a truly blank image could be added. The resulting altered image would be improperly validated as authentic with little effort. Clearly this is a weaker situation and an undesirable outcome as the same image generates the same signature.

In the adaptive signature, a signature is generated from the contents of the image. In the case of a blank image, the same signature would be generated. An image could be manipulated to blank and the signature duplicated from a properly signed blank image. This would allow the improper validation as authentic in a manner similar to the preceding with the same undesirable outcome.

An example of an adaptive signature is one that contains a one-time element. The addition of a one-time element allows for differing signatures even if the image itself is blank. One-time elements are never repeated such as date-time or image sequence number. Some convolution or manipulation of these one-time elements is desirable to preclude their easy forgery. This is a stronger solution as the same image generates differing signatures.

An adaptive signature may also be a signature that contains one-time elements and random elements. A “random string” is a sequence of characters generated from many variables including selected values from a previous image. The algorithm to create the random string is a trade secret and may differ from device to device even among the same production run of otherwise identical devices. The algorithm used may also vary from use to use of the same device. Two blank images captured a second apart with the same device can generate two widely different signatures. Two blank images captured at the exact same moment by two different devices can generate two widely different signatures. This creates a stronger solution than the adaptive signature containing only a one-time element.

Another variation is an adaptive signature with a one-time element and a one-time random element. The user has control over how often a new random string is created. If the random string were created anew after each image was captured, then pattern recognition of the resulting signature from the image is not possible as random elements are, by definition, not patterned. Unless the signature generation protocol and the random string generation algorithm were known or reverse engineered, the ability to sign a properly constituted Signa2 image resides solely inside the Signa2 devices. By varying the random string generation protocol between devices, varying between protocols between use to use of the same device, and regenerating the random string frequently, analysis of the results to determine the process (a form of reverse engineering) is an almost fruitless exercise.

Some embodiments of the present invention include a self-contained authentication system that creates self-authenticating copies of digital files and stores the self-authenticating files in a tightly coupled storage device. The authentication system may or may not be tightly coupled to the device from which the digital files originated. In these embodiments, the integrity of the file can be guaranteed once it is introduced into the tightly coupled authentication system.

A tightly coupled storage device refers to a security housing with a physical boundary. Components located inside of the physical boundary of the tightly coupled storage device are not accessible to a user or any other component outside of the security housing except as otherwise noted herein. Embodiments of the present invention include systems and methods to monitor the integrity of a tightly coupled security housing; that is, systems and methods are provided to determine whether the physical boundary of the tightly coupled security housing have been compromised.

The authentication system can include control circuitry, an associated programmable processor, and associated software, stored on a local computer readable medium, as would be understood by those of ordinary skill in the art. In embodiments of the present invention, the control circuitry, programmable processor, and associated software can, create, archive, and index the self-authenticating digital files so that the archived files can be authenticated and readily searched.

The authentication system of the present invention can receive digital files from an email system or other originating device or system. The digital files and copies thereof can be in a self-authenticating format. For example, as seen in FIG. 7A, the self-authenticating files and copies thereof can include the file data or image and a signature. The signature provided in the file must match the signature generated when verifying the authenticity of the file data or image.

The self-authenticating file can be stored in a first archival storage device that is tightly coupled to the authenticator. The authentication system does not have to be tightly coupled to the originating device or system, but rather the authentication system must only be connected to the originating device as known by those of skill in the art. Because the authentication system and components thereof are tightly coupled, once a digital file is introduced into the authentication system, the system can verify that the file is unchanged.

The first archival storage device can copy all or part of the stored self-authenticating file to a second device such as a DVD via a DVD writer. Once the self-authenticating file is copied to the second device, the file can be purged from the first archival storage device so that the first archival storage device does not have to be replaced as it becomes full. Alternatively, the entire contents of the first archival storage device can be stored by disconnecting the authentication system and archiving the files stored therein.

In other embodiments of the present invention, the authentication system can make second copies of the self-authenticating files to be sent to an indexer. The indexer can separate the files stored therein and create multiple indices of each file. The indexer can index each element or component of the files. For example, if the file is an email, the indexer can index the file by date/time, sender, receiver, message header information, message content, attachment name, embedded objects, content of attachments, contents of embedded objects, or any other element as would be known by those of skill in the art. The indexed components and files can be stored in an index storage where they can be searched by the various indexed elements as known by those of skill in the art.

When the files in the first archival storage device are copied to the indexer and stored in the index storage, the files in the first archival storage device remain unchanged and in their self-authenticating format. Accordingly, the authentication system of the present invention can provide for simultaneous self-authentication of digital files and index searching of the files stored therein.

FIG. 10 is a schematic diagram of a generic email system 300 known in the art. A network 310 can be either a local network or an external network, for example the internet. Lines shown in FIG. 10 represent connections between the various elements of the system 300. Arrowheads on the lines indicate the direction of the connection, and bilateral connections are represented by lines with arrowhead at each end. A device connected bilaterally to another device can both initiate and respond to requests.

A web server 320 of the system can be either a process running on a server or a special purpose computer. The web server 320 can receive requests from web browsers or other processes, service those request, and provide requesters with a display. The web server 320 can be bilaterally connected to a web client 322, such as a desktop computer, a laptop, a personal digital assistant (PDA) or the like running an email and/or calendaring program known by those of skill in the art directly. The web server 320 can be connected to the web client 322 via a local network or via the internet. The web server can also be bilaterally connected to an Internet Message Access Protocol (IMAP) server 330 and an outbound Message Transfer Agent (MTA) 340.

The IMAP server 330 can be either a process running on a network server or a special purpose computer running only the task of receiving requests. In addition to the web server 320, the IMAP server 330 can be connected to mail storage 360, a local IMAP client 332 and/or a remote IMAP client 334. The local IMAP client 332 can be, for example, a desktop computer, laptop, PDA or similar device running an email and/or calendaring program known by those of skill in the art and be directly connected to a local network. The remote IMAP client 334 can be, for example, a desktop computer, laptop, PDA, or similar device running an email and/or calendaring program known by those of skill in the art and connected to the network via the internet.

The mail storage 360 can be a database where mail is stored as known by those of skill in the art. Mail can be stored in a variety of different manners and formats as known by those of skill in the art. For example, the mail storage 360 could use multiple directories, one directory for each mail box, segmented databases, or a single database with a separate index for each function. Details of the mail storage 360 are not limitations of the present invention.

The outbound MTA 340 can be a program running as a process on a server or a special purpose computer running on that process. In addition to the web server 320, the outbound MTA 340 can be connected to an inbound MTA 350, a local IMAP client 342 and/or a remote IMAP client 344. The inbound MTA 350 can also be a program running as a process on a server or a special purpose computer and can be connected to the mail storage 360 via a non-standardized bilateral connection.

An incoming message, for example, an email message, can be received by the inbound MTA 350 via a Simple Mail Transfer Protocol (SMTP) via the internet. The message can then be transferred and stored in the mail storage 360 as known by those of ordinary skill in the art. The mail storage 360 can return an acknowledgement message to the inbound MTA 350 that the message was received and properly stored.

An outgoing message can be initiated by an IMAP client either locally (332 or 342) or remotely (334 or 344) or by a web client (322) either locally or remotely. If the message originates with an IMAP client, the message can be transmitted to the outbound MTA 340 directly, and if the message originates with a web client, the message can be transmitted to the outbound MTA 340 via the web server 320. The outbound MTA 340 can send the message using an SMTP protocol to either the inbound MTA 350 (for destinations within the organization's email structure-internal email) or to the internet (for destinations outside of the organization's structure-external email). A router and/or firewall 370 can protect the email system 300 by directing both the inbound SMTP line (from the internet to the inbound SMTP 350) and the outbound SMTP line (from the outbound MTA 340 to the internet) through the router and/or firewall 370.

It is known in the art to automatically initiate messages responsive to a received message. For example, a message reading “I am out of the office” or the like may be generated for messages received during a particular time frame. Automatically generated message can be sent from the outbound MTA 340 for outside mail or from the IMAP server 330 for internal mail as known by those of skill in the art.

Referring now to FIG. 11, a schematic diagram of an email system 300 and authentication system 400 of one embodiment of the present invention is shown. Like elements and devices of the email system shown in FIG. 10 are shown with like numerals.

The authentication system 400 is located between inbound and outbound message routes of the email system 300 so all messages going to or coming from the email system 300 must pass through the authentication system 400. There is no direct connection between the outbound MTA 340 and the inbound MTA 330.

The authentication system 400 is contained in a tightly coupled security housing 410, and all of the components of the authentication system 400 are tightly coupled to one another inside of the housing 410. The authentication system 400 is not user configurable and cannot be opened without detection; any tampering of the security housing 410 will be detected. The authentication system 400 can detect when its power has been turned off and any other disconnections.

The authentication system 400 includes a web server 420, an S2 indexer 430, an S2 authenticator 440, a spam filter and stripper 450, first archival S2 storage 460, a DVD writer 470, an S2 indexed storage 480, and a unitary storage 490. All messages from the outbound MTA 340 enter the security housing 410 of the authentication system 400 and are transmitted to the S2 authenticator 440. All traffic on the inbound SMTP line from the internet to the authentication system 400, on the outbound SMTP line from the authentication system to the internet, and on lines from the authenticator 440 to a remote image location are directed through a router and/or firewall 500 to protect the email system and the authentication system 400.

As seen in FIG. 11, there are two S2 authenticators 440′ and 440″. The authentication system could have one or two authenticators as would be known by those of skill in the art; each authenticator performs the same function.

When the S2 authenticator 440 receives a message from either the outbound MTA 340 (internal messages) or the internet (external messages), the S2 authenticator 440 ensures that the message is in a self-authenticating format as described herein. Then, the S2 authenticator copies the message; the copy or copies of the message are in a self-authenticating format.

The original message is transmitted to a spam filter and stripper 450 to determine if the original message is spam. Spam as known by those of skill in the art involves nearly identical messages sent to numerous recipients by electronic mail, such as unsolicited bulk email. If the message is spam, it is not delivered, but if the message is not spam, the message is transmitted outside of the authentication system to the either inbound MTA 350 (internal messages) or the internet (external messages). In embodiments of the present invention, if the message is spam, the spam filter and stripper 450 can detect the spam, strip the spam elements of the message and pass the non-spam elements of the message back to the authenticator 440 to deliver the message (minus the spam) to either the inbound MTA 350 or the internet.

As explained above, the copy or copies of the message created by the authenticator 440 are self-authenticating. For example, as seen in FIG. 7A, a self-authenticating copy can include the file data or image and a signature. The signature provided in the file copy must match the signature generated when verifying the authenticity of the file data or image.

The self-authenticating copy can be sent to a distributor 442, which can transmit the copy to the first archival S2 storage 460. The first archival S2 storage 460 is a database of authenticated messages, attachments, and embedded items. A second self-authenticating copy of the message can be made from the first self-authenticating copy or from the originally received file, and the second copy can be transmitted to the S2 indexer 430. The S2 indexer 430 can examine the second copy and any attachments or embedded items and extract various components by which to index the message. For example, the message could be indexed by one or more of the following components: sender, receiver, size, content, or other components as known by those of skill in the art. The indexed components can be stored in the S2 indexed storage 480.

Any attachments to the message can be copied in the same manner as the message itself and can also be self-authenticating. When the attachment copies are stored in the first archival S2 storage 460 and the S2 indexed storage 480, they can be logically connected to their respective message copies.

Items that are truly embedded in the messages can be logically connected to the message. Items that are remotely embedded in the messages can be retrieved via the internet. If the remotely embedded items are not too large or numerous, they can be logically connected to the message.

The first archival S2 storage 420 and the S2 indexed storage 480 can be coupled to the web server 420. The web server 420 can be a process that allows web-based communication to process the administrative functions of the authentication system 400. The web server 400 can be connected to a DVD writer 470 and a unitary storage 490.

The unitary storage 490 is a database that stores a copy of every message stored in the mail store 360 of the email system 300. Periodically, the authentication system 300 can make a request to the IMAP server 330 via an IMAP unitary read request and reply connection for new messages in the mail store 360. The IMAP server 330 can retrieve any new messages in the mail store 360 since the last request and transmit copies of those messages to the unitary storage 490 via the IMAP unitary read request and reply connection. If the IMAP server 330 does not respond in a timely manner to a request from the authentication system 400, the authentication system 400 can disconnect from the email system.

A DVD writer 470 known to those of ordinary skill in the art can be used to archive and create DVDs of messages stored within the authentication system 400. Part of the DVD writer 470 is exposed outside of the authentication system 470 to allow for insertion and removal of DVD media. However, the partial exposure of the DVD writer 470 does not affect the tight coupling of the authentication system 400 and security housing 410.

Even though there is no connection between the outbound MTA 340 and the inbound MTA 350, in embodiments of the present invention, the IMAP server 330 can detect an automatically initiated internal message that is responsive to an internally received message and send the automatically initiated internal message directly to the mail storage 360. When the authentication system 400 sends a periodic query to the IMAP server 330 for copies of new messages in the mail storage 360, the unitary storage 490 will detect any new automatically initiated internal message that did not get authenticated through the authentication system 400. However, header information in the metadata of the automatically initiated internal message will indicate that the message was automatically generated.

While the invention has been illustrated and described in detail in the drawings and foregoing description, the same is considered as illustrative and not restrictive in character, it being understood that all changes and modification that come within the spirit of the invention are desired to be protected. 

1. An apparatus for authenticating and searching data comprising: a tightly coupled housing; an authenticator in the tightly coupled housing; a first archival storage in the tightly coupled housing; an indexer in the tightly coupled housing; and an index storage in the tightly coupled housing, wherein the authenticator receives a file from an external email system, the authenticator creates first and second self-authenticating copies of the file, the first archival storage stores the first self-authenticating file, the indexer dissembles the second self-authenticating copy into components of the second self-authenticating copy, and the index storage stores the components of the second self-authenticating in a searchable format.
 2. The apparatus as in claim 1 further comprising a spam and filter stripper, the spam and filter stripper strips the file received from the external email system of spam.
 3. The apparatus as in claim 1 further comprising a web server coupled to the first archival storage and the indexer storage.
 4. The apparatus as in claim 3 further comprising a unitary storage coupled to the web server and the external email system, the unitary storage sends period inquiries to the external email system via the web server to retrieve messages stored in a mail storage of the external email system.
 5. The apparatus as in claim 3 further comprising a DVD writer coupled to the web server.
 6. A system for authenticating and searching data comprising: a tightly coupled housing; and a circuit in the tightly coupled housing that is adapted to receive a data file from an originating system, create first and second self-authenticating copies of the data file, store the first self-authenticating data file in a first archival storage, index components of the second self-authenticating data file, and store the indexed components in a user-searchable format.
 7. The system of claim 6 wherein the index components include one of date, time, sender, receiver, file header information, file content, attachment name, embedded object name, attachment content, or embedded object content.
 8. The system of claim 6 wherein data stored in the first archival storage is copied to a second storage device.
 9. The system of claim 8 wherein the second storage device is a DVD.
 10. An apparatus for authenticating and searching data comprising: means for authenticating a data file received from an originating system; means for creating first and second self-authenticating copies of the data file; means for storing the first self-authenticating copy of the data file; means for indexing components of the second self-authenticating copy of the data file; means for searching the indexed components; and means for monitoring user accessibility to the means for authenticating the data file, the means for creating the copies, the means for storing the first copy, the means for indexing the components of the second copy, and the means for searching the indexed components.
 11. The apparatus as in claim 10 further comprising means for detecting and filtering spam from the data file
 12. the apparatus as in claim 10 further comprising means for copying stored data. 